AEPD - PS/00168/2020
|AEPD - PS/00168/2020|
|Relevant Law:||Article 6(1) GDPR|
|National Case Number/Name:||PS/00168/2020|
|European Case Law Identifier:||n/a|
|Original Source:||aepd.es (in ES)|
|Initial Contributor:||Pablo Rossi|
AEPD fined VODAFONE ESPAÑA EUR 75,000 for an infringement of article 6(1) GDPR. Advertising SMS were sent to the complainant, despite that his personal data had been erased in 2015. National administrative law attenuating factors were invoked, leading to a reduced fine of EUR 45,000
English Summary[edit | edit source]
Facts[edit | edit source]
The reason for the complaint is that, after the erasure of the claimant's personal data in 2015, he continued to receive advertising SMS messages on his mobile line. Vodafone, in its communication with AEPD, stated that they carried out the relevant checks and established that the reason why the claimant was able to receive such SMS is that his personal data could have been visible in their customer data management systems. In the same communication, Vodafone stated that a series of blockages had been made in the system that prevent, for advertising purposes, the further use of the telephone number of the claimant.
Dispute[edit | edit source]
Does continuing to send advertising messages after an erasure of personal data constitute a violation of Article 6(1) GDPR?
Holding[edit | edit source]
AEPD considered that the documentation provided offers evidence that Vodafone violated Article 6(1) of the GDPR, by processing the claimant's personal data without any legitimate reason. The fact that it was a non-intentional negligent action, that basic personal identifiers were affected and the continued nature of the infringement were considered aggravating factors, determining the amount of the fine in EUR 75,000. However, two attenuating circumstances of the Spanish Law on Common Administrative Procedure of Public Administrations (Article 85) could be applied, which may respectively reduce the fine by 20%. The first mitigating factor is to acknowledge their responsibility within the time allowed for the submission of claims. The second mitigating factor is, at any time prior to the resolution of the proceedings, to make voluntary payment of the proposed fine. On June 16, 2020, Vodafone proceeded to pay the sanction in the amount of EUR 45,000 applying therefore the two previously mentioned reductions. This implied the recognition of their responsibility and the resignation to any action or appeal in administrative channels against the sanction. After these events, the AEPD decided to terminate the procedure.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/11 936-031219 • Procedure Nº: PS / 00168/2020 RESOLUTION R / 00335/2020 TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTARY In the sanctioning procedure PS / 00168/2020, instructed by the Spanish Agency for Data Protection to VODAFONE ESPAÑA, SAU, having regard to the complaint presented by AAA, and based on the following, BACKGROUND FIRST: On June 24, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against VODAFONE ESPAÑA, SAU ( hereinafter, the claimed), through the Agreement that is transcribed: << Procedure Nº: PS / 00168/2020 935-200320 AGREEMENT TO START SANCTIONING PROCEDURE Of the actions carried out by the Spanish Agency for Data Protection and based on the following: ACTS FIRST D. AAA ( hereinafter, the claimant) on December 29, 2019 filed a claim with the Spanish Agency for Data Protection. The claim is directed against Vodafone España, SAU with NIF A80907397 (hereinafter, the claimed one). C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 2/11 The reasons on which your claim is based are that after deleting your personal data in 2015, you continued to receive advertising SMS messages on your mobile line (*** TELEPHONE 1). SECOND: In view of the facts denounced in the claim and the documents provided by the claimant, the General Sub-Directorate of Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, by virtue of the Investigative powers granted to the control authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section , of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). As a result of the investigation actions carried out, it is verified that the person responsible for the treatment is the one claimed. Likewise, the following points are found: On April 15, 2020, the respondent states that after carrying out the appropriate investigations into what happened, they have proceeded to send a letter to the claimant, informing him of the steps that have been carried out by Vodafone in response to his claim (attached copy of the letter sent). They add that the claimant's data is correctly deleted in their computer systems related to the management of customer data, by virtue of the request to exercise the right to cancel them made by him in May 2015. The reason for which could have received the SMS messages could have been because their personal data had been visible in their customer data management systems, or there had been some type of error of the claimed when managing the cancellation of such data. On the other hand, they point out that the main reason is that this number has been used by both collaborating agents and Vodafone employees as it is a simple number to remember and quick to write, therefore, a "dummy" number, how use in certain activities and processes. C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 3/11 Finally, it points out that the complainant has implemented a series of actions in order to avoid the misuse of the aforementioned number (which are detailed), among them that real and updated information must be included in the client's files, which does not Data can be invented or others used that they consider implausible that they may belong to a client, such as the aforementioned number. A series of blockages have been made in the system that prevent, for these purposes, the use of said numbering. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to initiate and resolve this process. II The defendant is charged with committing an offense for violation of Article 6 of the RGPD, " Legality of the treatment ”, Which indicates in section 1 the cases in which the processing of third-party data is considered lawful: "one. The treatment will only be lawful if at least one of the following conditions is met: a) the interested party gave their consent to the processing of their personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is a party or for the application at his request of pre-contractual measures; (…) " C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 4/11 The offense is typified in Article 83.5 of the RGPD, which considers as such: "5. Infringements of the following provisions shall be penalized, in accordance with section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total global annual business volume of the previous financial year, opting for the one with the highest amount: a) The basic principles for the treatment, including the conditions for consent in accordance with articles 5,6,7 and 9. " The Organic Law 3/2018, of Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) in its article 72, under the heading “ Violations considered very serious " has: "one. Based on what is established in article 83.5 of Regulation (EU) 2016/679, infractions that imply a substantial violation of the articles mentioned therein and, in particular, the following will prescribe after three years: (…) a) The processing of personal data without the concurrence of any of the conditions of lawfulness of the treatment established in article 6 of Regulation (EU) 2016/679. " III The documentation in the file provides evidence that the complained party violated article 6.1 of the RGPD, since it processed the claimant's personal data without having any legitimacy to do so. The respondent has recognized this error and has indicated that one of the causes that motivated the sending of the SMS to the claimant is that said number has been used by both collaborating agents and Vodafone employees as it is a simple and fast number to remember to write, therefore, a “dummy” number, how to use it in certain activities and processes. C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 5/11 However, and this is essential, the respondent does not prove the legitimacy for the treatment of the claimant's data. IV The determination of the sanction to be imposed in this case requires observing the provisions of articles 83.1 and 83.2 of the RGPD, precepts that, respectively, provide the following: "Each supervisory authority shall guarantee that the imposition of the administrative fines in accordance with this article for the infringements of this Regulation indicated in paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive." " Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures referred to in article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case, the following will be duly taken into account: a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages they have suffered; b) intentionality or negligence in the infringement; c) Any measure taken by the person in charge or in charge of the treatment to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge or the person in charge of the treatment, taking into account the technical or organizational measures that have been applied by virtue of articles 25 and 32; e) any previous infringement committed by the controller or the processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 6/11 h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent; i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the person responsible or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or certification mechanisms approved under Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement. " ( The underlining is from the AEPD) In order to specify the amount of the sanction to be imposed on the claimed person for violation of article 83.5.a) of the RGPD, it is essential to examine and assess whether the circumstances described in article 83.2 of the RGPD exist and if they intervene mitigating or aggravating the responsibility of the responsible entity. In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, for the purpose of setting the amount of the fine to be imposed in this case, the claimed party is considered responsible for an offense typified in Article 83.5.a) of the RGPD, in an initial assessment, the following factors are considered concurrent. As aggravating factors the following: - In the present case we are dealing with an unintentional negligent action, but identified significant (article 83.2 b). - Basic personal identifiers (name, an identification number, the line identifier) are affected (article 83.2 g). - Any previously committed offense (article 83.2 e). - Section k), in relation to article 76.2 of Organic Law 3/2018, in which the continued nature of the offense attributed to the claimed is framed as an aggravating factor. That is why it is considered appropriate to graduate the sanction to impose on the claimed and set it at the amount of € 75,000 for the violation of article 6 of the RGPD. C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 7/11 Therefore, based on the foregoing, By the Director of the Spanish Agency for Data Protection, HE REMEMBERS: 1. START SANCTIONING PROCEDURE against VODAFONE ESPAÑA, SAU, with NIF A80907397, for the alleged violation of article 6 of the RGPD typified in article 83.5.a) of the aforementioned RGPD. 2. APPOINT Mr. BBB and as secretary to Dña. CCC, indicating that any of them may be challenged, where appropriate, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP). 3. INCORPORATE to the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its attached documentation, the information requirements that the General Sub-Directorate of Data Inspection sent to the claimed entity in the preliminary investigation phase and their respective acknowledgments of receipt . 4. THAT, for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the corresponding sanction would be 75,000 euros (seventy-five thousand euros), without prejudice to what results from the instruction . 5. NOTIFY this agreement to Vodafone España, SAU, with NIF A80907397, granting it a hearing period of ten business days to formulate the allegations and present the evidence it deems appropriate. In your statement of allegations, you must provide your NIF and the procedure number that appears at the top of this document. C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 8/11 If within the stipulated period no allegations are made to this start-up agreement, it may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, in the event that the sanction to be imposed is a fine, you may acknowledge your responsibility within the term granted for the formulation of allegations to this initiation agreement; which will entail a reduction of 20% of the sanction to be imposed in this procedure. With the application of this reduction, the penalty would be set at 60,000 euros, resolving the procedure with the imposition of this penalty. In the same way, it may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed penalty, which will entail a reduction of 20% of its amount. With the application of this reduction, the sanction would be established at 60,000 euros and its payment will imply the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative to the one that corresponds to apply for the acknowledgment of responsibility, provided that this acknowledgment of responsibility is made manifest within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions should be applied, the amount of the penalty would be set at 45,000 euros. In any case, the effectiveness of any of the two aforementioned reductions will be conditioned to the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. In case you choose to proceed to the voluntary payment of any of the amounts indicated above, 60,000 euros or 45,000 euros, you must make it effective by entering account no. ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for Data Protection at Banco CAIXABANK, SA, indicating in the concept the reference number of the procedure that appears in C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 9/11 the heading of this document and the cause for the reduction of the amount to which it applies. Likewise, you must send proof of entry to the General Inspection Subdirectorate to continue with the procedure in accordance with the amount entered. The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, its expiration will occur and, consequently, the file of actions; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act. Sea spain marti Director of the Spanish Agency for Data Protection >> SECOND: On July 16, 2020, the defendant has proceeded to pay the penalty in the amount of 45,000 euros making use of the two reductions provided in the Initiation Agreement transcribed above, which implies the recognition of responsibility. THIRD: The payment made, within the period granted to formulate allegations at the beginning of the procedure, entails the waiver of any action or appeal in administrative proceedings against the sanction and the recognition of responsibility in relation to the facts to which the Agreement refers Of start. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in art. 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 10/11 it is competent to sanction the infractions that are committed against said Regulation; the infractions of article 48 of the Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), in accordance with the provisions of article 84.3 of the LGT, and the infractions typified in articles 38.3 c) , d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the information society and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law. II Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading “ Termination of sanctioning procedures ”Provides the following: "one. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely of a pecuniary nature or it fits impose a penalty pecuniary and another of a non-pecuniary nature but the inadmissibility of the second has been justified, the voluntary payment by the presumed responsible, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of compensation for damages caused by the commission of the offense. 3. In both cases, when the penalty is solely of a pecuniary nature, the competent body to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any action or appeal in administrative proceedings against the sanction. Reduction percentage provided in this section it may be increased by regulation. In accordance with the above, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: DECLARE the termination of the procedure PS / 00168/2020, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, SAU. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure according to the provisions of art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the interested parties may file an administrative contentious appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions in article 25 and in section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es 11/11 Mar España marti Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es